Seems like whatever certificate your upstream has doesn’t contain 192.168.1.7. What exactly is running there? What domain(s) is its certificate valid for?
You can use the tls_server_name transport option to set which domain to use for TLS-SNI, see reverse_proxy (Caddyfile directive) — Caddy Documentation
Does whatever thing is running there have an HTTP port (that doesn’t redirect HTTP->HTTPS) that you could proxy to instead? It’s preferred to proxy over HTTP because HTTPS has some overhead.